I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of HTC- and Samsung-built Android devices that it’s tough to spot and nearly impossible to remove, as 25-year-old Connecticut systems administrator Trevor Eckhart revealed in a video Tuesday.

That’s not just creepy, says Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it’s also likely grounds for a class action lawsuit based on a federal wiretapping law.

“If CarrierIQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap,” he says. “And that gives the people wiretapped the right to sue and provides for significant monetary damages.”

As Eckhart’s analysis of the company’s training videos and the debugging logs on his own HTC Evo handset has shown, Carrier IQ captures every keystroke on a device as well as location and other data, and potentially makes that data available to Carrier IQ’s customers. The video he’s created (below) shows every keystroke being sent to the highly obscured application on the phone before a call, text message, or Internet data packet is ever communicated beyond the phone. Eckhart has found the application on Samsung, HTC, Nokia and RIM devices, and Carrier IQ claims on its website that it has installed the program on more than 140 million handsets.

Update: Nokia and RIM have both denied installing the software on any of their handsets.

Specifically, Ohm points to changes made to the Wiretap Act under the Electronic Communications Privacy Act of 1986 that forbid acquiring the contents of communications without the users’ consent. “Because this happens with text messages as they’re being sent, a quintessentially streaming form of communication, it seems like exactly the kind of thing the wiretap act is meant to prevent,” he says. “When I was at the Justice Department, we definitely prosecuted people for installing software with these kinds of capabilities on personal computers.”

Carrier IQ didn’t respond to my request for comment, but the firm has posted a response statement on its website, claiming that it collects only limited “operational information” on devices for its carrier customers:

While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.

Former Justice Department prosecutor and University of Colorado Law School professor Paul Ohm

But even if the data were somehow aggregated and anonymized before being communicated to a remote server, Ohm argues, Carrier IQ and possibly even Sprint and other carriers shown to have used the company’s services should still expect a costly class action lawsuit. “Even if they were collecting only anonymized usage metrics, it doesn’t mean they didn’t break the law,” says Ohm. “Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away.”

“In the next days or weeks, someone will sue, and then this company is tangled up in very expensive litigation,” he adds. “It’s almost certain.”

If the case went to court, Carrier IQ’s first line of defense might be that users have agreed to some form of tracking in their contract with one of Carrier IQ’s cellular carrier customers. But when I reached Eckhart by phone, he pointed out that in his tests, he turned on the phone’s airplane mode, shutting down its cellular connection and using only Wi-Fi. Even then, the app seemed to record all his keystrokes and communications as they happened. “[Sprint] defines their service as their network,” he says, referring to his own tests on his Sprint-connected HTC Evo. “I don’t understand how my phone on my own wireless network is their service, and how they have the right to look at that.”

Comments

Agreed! This is outrageous. Phone carriers and phone devices should only be allowed to keep aggregate data and information (number of calls, number of texts, time to make calls, etc). And that data must be encrypted with very tight access controls!! Vormetric is the best solution for doing this.

This is a scandal and the government with the phone companies in the article are in operation with each other. I am a virtual human trafficking victim that has my privacy invaded as a consumer product and stock purchase to wall street. My life has been secretly transmitted to porn sites and the government and Corporations don’t want to have me obtain that info so this happens to my products that I buy which are wiretaps. The Nixon Administration is still here and in full force and you may be like me. Please, sign this petition and send to the people on the list at http://www.change.org/petitions/us-government-wall-street-financial-firms-and-corporations-stop-the-crimes-and-abuse-against-michelle-mathis.

You know, at first I would’ve believed that this is solely a performance monitoring program, although it still needs a way to opt out of it. But then they went and issued an unlawful cease and desist order to try to pressure the guy investigating the software into staying quiet, including demands for him to publicly apologize and state that all his findings were lies. They clearly knew that they were violating laws and were afraid. Now I just hope their company goes bankrupt and the owners face prison time for breaking federal law. I really can’t stand corporations that think they can illegally threaten people with frivolous lawsuits knowing that most people don’t have the ability to defend themselves.

Government and Corporations with those in this article are holding me hostage as a virtual porn star. I have a samsung phone and they wiretap all my products in order that I don’t obtain evidence on myself. I am seen on kiddie porn sites (Hard Candy) and can not get the evidence so they monitor all communications. Law enforcement knows and continue help the efforts with Spy satellites and electronic wiretaps in my home. Other people have this happening to them and are sold as consumer products and stocks on wall street markets. I need your support to sign this petition and send to the people on the list at http://www.change.org/petitions/us-government-wall-street-financial-firms-and-corporations-stop-the-crimes-and-abuse-against-michelle-mathis.

Those companies exist because there is a market for such tools. If carriers were prohibited from spying on their users then this wouldn’t be an issue. My biggest concern is not Carrier IQ, but companies that use their products. They are not regulated like banks, and are not required to guard customers’ data at the level banks do. That exposes a single database with millions of customers to a potential hacking attack that, if successful, would be devastating to millions of people. Now, how many times have those carriers been hacked, and failed to make that public? We will never know. But, with so many banks being hacked that have much better protection from such attacks, I doubt carriers have been hacker free for so long… We should thank our politicians for taking money from industry lobbyists, and creating such huge security flaws…

This video shows an app that has clearly been given the “keys to the kingdom” in terms of what it has access to on the device. Moreover, it is very poorly written in terms of both resource use and proper respect for customer data.

However, what this video shows does not yet constitute a serious violation of privacy, as the logs that you are seeing are on-device only and I see no evidence that the information is shared with anybody.

I would personally avoid any application (or device that contains an application) that places my private data, including TEXTs, URLs or typed text, in the un-encrypted application logs.

However, I would only sue if I could prove that this data were shared with someone, in other words, if it were sent off my device.

My point is this: the next step in investigation of this malware must be to see what is done with the data that is collected. Carrier IQ should lead the way with clear and honest disclosure, and we geeks should fill in with thorough and honest experimentation.

I thought the video contained proof of instances of information being transmitted to Carrier IQ’s servers before actually sending it to the intended recipients. I believe the gentleman demonstrated an instance of this action while sending an SMS based text message.